Securities Commission Malaysia’s revised Guidelines on Technology Risk Management comes into effect

The Securities Commission Malaysia (“SC”) issued the revised Guidelines on Technology Risk Management (“GTRM”) on 19 August 2024.
 
The GTRM came into effect on 19 August 2024 in place of an earlier version of the guidelines of the same name issued by the SC on 1 August 2023 (“Original GTRM”).
 
The GTRM supersedes the Guidelines on the Management of Cyber Risk issued by the SC on 31 October 2016  (“GMCR”) as from the date that the GTRM came into effect, i.e. 19 August 2024.
 
Highlights of the GTRM
 
Application and enforcement
 
The GTRM applies to the following capital market entities: 
  • an exchange holding company, stock exchange, derivatives exchange, clearing house and trade repository approved under the Capital Markets and Services Act 2007 (“CMSA”);
  • a central depository approved under the Securities Industry (Central Depositories) Act 1991;
  • a self-regulatory organisation recognised under the CMSA;
  • a private retirement scheme administrator approved under the CMSA;
  • a Capital Markets Services Licence holder;
  • a recognized market operator registered under the CMSA;
  • a registered person provided in Part 2 of Schedule 4 of the CMSA; and
  • a person providing capital market services registered under section 76A of the CMSA, 
(severally a “capital market entity” and collectively “capital market entities”).
 
Capital market entities are expected to assess the application of the GTRM and ensure the extent and degree of implementation commensurate with their respective business operations as well as the level of technology risk exposures.
 
Objective
 
The GTRM seeks to achieve a two-pronged outcome - first, that all capital market entities have a robust and sound technology risk management framework which promotes strong oversight of technology risks in the capital market entity, and second, for the capital market to be cyber resilient.
 
Summary of the requirements
 
Part B of the GTRM sets out the requirements in respect of six specific areas. These are summarised below.
 
1.     Governance 
  • Responsibilities of the board of directors
  • Responsibilities of senior management
  • Cybersecurity Awareness and Training for board, senior management, employees and agents
  • Technology audit requirements 
2.    Technology Risk Management 
  • Requirement to establish a Technology Risk Management Framework (“TRM Framework”) that comprises risk identification, risk assessment, risk mitigation, risk monitoring, review and reporting on the existing and any emerging technology adopted by the capital market entity 
Guidance on each component of the TRM Framework is provided in Appendix 1 of the GTRM.
 
3.    Technology Operations Management 
  • Technology Project Management
  • System Acquisition and Development, System Testing and Acceptance and Access Control Management
  • Cryptography
  • Data Security and Privacy
  • Data Storage
  • Data Disposal
  • Change Management
  • Patch and Technology Obsolescence
  • Network Resilience
  • Operational Resilience
  • IT Disaster Recovery Plan 
4.    Technology Service Provider Management 
  • Due Diligence and Performance Monitoring
  • Cloud Services
  • Contract Management 
5.    Cyber Security Management 
  • Cyber Security Framework
  • Cyber Security Measures and Monitoring
  • Cyber Security Incident Response and Recovery
  • Cyber Security Assessment
  • Cyber Simulation Exercise 
6.    Notification Process to the SC 
  • Notification for Technology-Related Implementation
  • Notification of Technology Incident, Cyber Incident and Near Miss Event 
The forms containing the details to be included in the notifications are set out in Appendix 4 and Appendix 5 of the GTRM.
 
In addition, the GTRM sets out four guiding principles in relation to the adoption of artificial intelligence and machine learning, namely: 
  • Accountability
  • Transparency and Explainability
  • Fairness and Non-Discrimination
  • Practical Accuracy and Reliability 
Refer to Appendix 3 of the GTRM for an elaboration of these principles.
 
To provide further clarity to capital market entities, the SC has also issued a set of revised Frequently Asked Questions on 19 August 2024 in relation to the GTRM.
 
Summary of amendments to the Original GTRM
 
As mentioned above, the GTRM replaces the Original GTRM. According to the SC, the key amendments made to the Original GTRM under the GTRM include the following: 
  • new requirements for capital market entities to submit reports to the SC on near miss events, perform cyber security assessments prior to deployment of a system and conduct penetration testing prior to deployment of new critical systems;
  • a new provision enabling the SC to appoint an independent party to conduct a review on a capital market entity’s compliance with the GTRM, including performing a technology audit, where necessary; and
  • the provision of guidance to capital market entities to use artificial intelligence (AI) and machine learning (ML) in an ethical manner. 
A summary of the amendments introduced under the GTRM is available here.
 
Consequential amendments to other guidelines and documents
 
Arising from the replacement of the GMCR by the GTRM, consequential amendments have been made on 19 August 2024 to the following guidelines and documents issued by the SC to replace references to GMCR with GTRM and to align the relevant requirements in those guidelines and documents with the requirements in the GTRM: 
A summary of the amendments to the above-referred guidelines and documents can be accessed through the links provided above.
 
Alert prepared by Lee Ai Hsian (Partner) and Tan Wei Liang (Senior Associate) of the Corporate Practice of Skrine.
 
 

This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.